[Bug 1051108] CVE-2013-7284 perl-PlRPC: pre-auth remote code execution

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://bugzilla.redhat.com/show_bug.cgi?id=1051108

Petr Pisar <ppisar@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ratulg@xxxxxxxxxx
              Flags|                            |needinfo?(ratulg@xxxxxxxxxx
                   |                            |)



--- Comment #3 from Petr Pisar <ppisar@xxxxxxxxxx> ---
(In reply to Vincent Danen from comment #2)
> The actual proposed patch to upstream is here:
> 
> *
> https://rt.cpan.org/Public/Ticket/Attachment/1293961/685696/0001-Security-
> notice-on-Storable-and-reply-attack.patch
> 
> Based on the discussion in bug #1030572, there is no real "fix" for this as
> it seems that Storable deserialization is exposed prior to password-based
> authentication (see how AcceptUser is called in the server code).
> 
> MITRE assigned CVE-2013-7284 to this issue.

Is amending the PlRPC documentation with this patch sufficient to close this
bug, or should we keep this open until a real fix in the code (extension of
Storable module and utilizing it in PlRPC) will be available?

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=0Io151sBRM&a=cc_unsubscribe
--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel





[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Legacy Announce]     [Fedora PHP Devel]     [Kernel Devel]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite Information]
  Powered by Linux